CAPEC Details
Name: Capture Credentials via Keylogger
Likelihood of attack: High
Typical severity: High
Summary: An adversary deploys a keylogger in an effort to obtain credentials directly from a system's user. After capturing all the keystrokes made by a user, the adversary can analyze the data and determine which strings are likely to be passwords or other credential-related information.
Prerequisites: The ability to install the keylogger, either in person or remotely.
Execution Flow
Step 1 (Explore) - Determine which user's credentials to capture: Since this is a more targeted attack, an adversary will first identify the particular user whose credentials they wish to capture.
Step 2 (Experiment) - Deploy keylogger: Once a user is identified, an adversary will deploy a keylogger to the user's system in one of many ways. Techniques:
  • Send a phishing email with a malicious attachment that installs a keylogger on a user's system
  • Conceal a keylogger behind fake software and get the user to download the software
  • Get a user to click on a malicious URL that directs them to a webpage that will install a keylogger without their knowledge
  • Gain access to the user's system through a vulnerability and manually install a keylogger
Step 3 (Experiment) - Record keystrokes: Once the keylogger is deployed on the user's system, the adversary will record keystrokes over a period of time.
Step 4 (Experiment) - Analyze data and determine credentials: Using the captured keystrokes, the adversary will be able to determine the credentials of the user. Techniques:
  • Search for repeated sequences that are followed by the enter key
  • Search for repeated sequences that are not found in a dictionary
  • Search for several backspaces in a row. This could indicate a mistyped password. The correct password can then be inferred using the whole key sequence
Step 5 (Exploit) - Use found credentials: After the adversary has found the credentials for the target user, they will then use them to gain access to a system in order to perform some follow-up attack.
Solutions: Strong physical security can help reduce the ability of an adversary to install a keylogger.
Related CAPECs
CAPEC ID Description
CAPEC-151 Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principal or use stolen / spoofed authentication credentials.
CAPEC-560 An adversary guesses or obtains (i.e., steals or purchases) legitimate credentials (e.g., userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-561 An adversary guesses or obtains (i.e., steals or purchases) legitimate Windows administrator credentials (e.g., userID/password) to access Windows Admin Shares on a local machine or within a Windows domain. Windows systems within the Windows NT family contain hidden network shares that are only accessible to system administrators. These shares allow administrators to remotely access all disk volumes on a network-connected system and further allow for files to be copied, written, and executed, along with other administrative actions. Example network shares include: C$, ADMIN$ and IPC$. If an adversary is able to obtain legitimate Windows credentials, the hidden shares can be accessed remotely, via Server Message Block (SMB) or the Net utility, to transfer files and execute code. It is also possible for adversaries to utilize NTLM hashes to access administrator shares on systems with certain configuration and patch levels.
CAPEC-569 An attacker leverages a tool, device, or program to obtain specific information as provided by a user of the target system. This information is often needed by the attacker to launch a follow-on attack. This attack is different than Social Engineering as the adversary is not tricking or deceiving the user. Instead the adversary is putting a mechanism in place that captures the information that a user legitimately enters into a system. Deploying a keylogger, performing a UAC prompt, or wrapping the Windows default credential provider are all examples of such interactions.
CAPEC-600 An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-653 An adversary guesses or obtains (i.e., steals or purchases) legitimate Windows domain credentials (e.g., userID/password) to achieve authentication and to perform authorized actions on the domain, under the guise of an authenticated user or service. Attacks leveraging trusted Windows credentials typically result in the adversary laterally moving within the local Windows network, since users are often allowed to log in to systems/applications within the domain using their Windows domain password. This domain authentication can occur directly (user typing in their password or PIN) or via Single Sign-On (SSO) or cloud-based authentication, which often don't verify the authenticity of the user's input.
Taxonomy: ATT&CK
Entry ID Entry Name
T1056.001 Input Capture: Keylogging